Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:40 PM
Dark Reading
Dark Reading
Products and Releases


Cyber criminals targeting public institutions with modified form of Qbot malware

A team of leading cyber experts has identified a new strain of Qbot, malicious software that has infected over 54,000 PCs in thousands of organisations across the world. An emergency response to a Qbot attack on a public sector organisation has given BAE Systems unparalleled insight into how the updated malware infects hosts, updates itself and hides from all but a very few antivirus and malware defences.

Following an attack on the organisation in early 2016 that affected more than 500 computers and impacted the operation of critical systems, BAE Systems’ analysts discovered a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept. These included a new ‘shape changing’ or polymorphic code, which meant that each time the malware’s code was issued by the servers controlling it, it was compiled afresh with additional content, making it look like a completely different programme to researchers looking for specific signatures.

In addition, automated updates to the malware generated new, encrypted versions every six hours, outpacing efforts to update software on customer computers, which helped the virus to spread. The new Qbot also checks for signs that it is running in a ‘sandbox’ – a tool used to spot malware before it reaches users’ inboxes. Sandboxing is accepted by many organisations as the de facto defence against malicious email content, and malware authors are now going to great lengths to defeat it.

Professional cyber criminals were found to be specifically targeting public organisations such as police departments, hospitals and universities. BAE Systems’ expert analysis revealed Qbot’s international network of infected machines currently runs to more than 54,000 PCs due to the malware’s ability to spread automatically without any outside instruction. Due to a combination of detection avoidance and automated infection, there is a risk that Qbot will continue to spread unless organisations take steps to protect themselves.

Adrian Nish, Head of Cyber Threat Intelligence at BAE Systems, commented:

“Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks. In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organisation to the spreading problem.

“This case illustrates that organisations must remain alert to, and defend against, new and evolving cyber threats. Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly.”

The team at BAE Systems worked to understand the malware’s own command and control network to work out how stolen data was being uploaded. In addition, they were able to identify how the programmers altered the destination of the stolen data each time, one of the ways in which the attackers can avoid detection and interception.

BAE Systems has published a White Paper on the Qbot malware. To view or download a copy of the full report, please click here.


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors.
PUBLISHED: 2021-06-18
Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors.
PUBLISHED: 2021-06-18
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
PUBLISHED: 2021-06-18
Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
PUBLISHED: 2021-06-18
Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors.